From 9618666f9bf47ce18c6f5676f977b1bcd0c8bcb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Sat, 28 Sep 2019 15:06:21 +0200 Subject: [PATCH 1/7] Validates both checksum and integrity --- .../install-update-auth-sha1/yarn.lock | 2 +- src/fetchers/tarball-fetcher.js | 54 ++++++++++++------- src/package-fetcher.js | 22 ++++++-- 3 files changed, 56 insertions(+), 22 deletions(-) diff --git a/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock b/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock index 9772bdb613..c53270e9c0 100644 --- a/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock +++ b/__tests__/fixtures/install/install-update-auth-sha1/yarn.lock @@ -4,7 +4,7 @@ abab@^1.0.4: version "1.0.4" - resolved "https://registry.yarnpkg.com/abab/-/abab-1.0.4.tgz#foo" + resolved "https://registry.yarnpkg.com/abab/-/abab-1.0.4.tgz#5faad9c2c07f60dd76770f71cf025b62a63cfd4e" integrity sha1-X6rZwsB/YN12dw9xzwJbYqY8/U4= leftpad@^0.0.1: diff --git a/src/fetchers/tarball-fetcher.js b/src/fetchers/tarball-fetcher.js index 4f65dad7db..916f739410 100644 --- a/src/fetchers/tarball-fetcher.js +++ b/src/fetchers/tarball-fetcher.js @@ -88,10 +88,12 @@ export default class TarballFetcher extends BaseFetcher { reject: (error: Error) => void, tarballPath?: string, ): { - validateStream: ssri.integrityStream, + hashValidateStream: stream.PassThrough, + integrityValidateStream: stream.PassThrough, extractorStream: stream.Transform, } { - const integrityInfo = this._supportedIntegrity(); + const hashInfo = this._supportedIntegrity({hashOnly: true}); + const integrityInfo = this._supportedIntegrity({hashOnly: false}); const now = new Date(); 
@@ -124,7 +126,9 @@ export default class TarballFetcher extends BaseFetcher { }, }); - const validateStream = new ssri.integrityStream(integrityInfo); + const hashValidateStream = new ssri.integrityStream(hashInfo); + const integrityValidateStream = new ssri.integrityStream(integrityInfo); + const untarStream = tarFs.extract(this.dest, { strip: 1, dmode: 0o755, // all dirs should be readable @@ -138,10 +142,13 @@ export default class TarballFetcher extends BaseFetcher { }); const extractorStream = gunzip(); - validateStream.once('error', err => { + hashValidateStream.once('error', err => { + this.validateError = err; + }); + integrityValidateStream.once('error', err => { this.validateError = err; }); - validateStream.once('integrity', sri => { + integrityValidateStream.once('integrity', sri => { this.validateIntegrity = sri; }); @@ -192,7 +199,7 @@ export default class TarballFetcher extends BaseFetcher { }); }); - return {validateStream, extractorStream}; + return {hashValidateStream, integrityValidateStream, extractorStream}; } getLocalPaths(override: ?string): Array { @@ -217,9 +224,16 @@ export default class TarballFetcher extends BaseFetcher { invariant(stream, 'stream should be available at this point'); // $FlowFixMe - This is available https://nodejs.org/api/fs.html#fs_readstream_path const tarballPath = stream.path; - const {validateStream, extractorStream} = this.createExtractor(resolve, reject, tarballPath); + const {hashValidateStream, integrityValidateStream, extractorStream} = this.createExtractor( + resolve, + reject, + tarballPath, + ); + + stream.pipe(hashValidateStream); + hashValidateStream.pipe(integrityValidateStream); - stream.pipe(validateStream).pipe(extractorStream).on('error', err => { + integrityValidateStream.pipe(extractorStream).on('error', err => { reject(new MessageError(this.config.reporter.lang('fetchErrorCorrupt', err.message, tarballPath))); }); }); 
@@ -243,19 +257,23 @@ export default class TarballFetcher extends BaseFetcher { const tarballMirrorPath = this.getTarballMirrorPath(); const tarballCachePath = this.getTarballCachePath(); - const {validateStream, extractorStream} = this.createExtractor(resolve, reject); + const {hashValidateStream, integrityValidateStream, extractorStream} = this.createExtractor( + resolve, + reject, + ); - req.pipe(validateStream); + req.pipe(hashValidateStream); + hashValidateStream.pipe(integrityValidateStream); if (tarballMirrorPath) { - validateStream.pipe(fs.createWriteStream(tarballMirrorPath)).on('error', reject); + integrityValidateStream.pipe(fs.createWriteStream(tarballMirrorPath)).on('error', reject); } if (tarballCachePath) { - validateStream.pipe(fs.createWriteStream(tarballCachePath)).on('error', reject); + integrityValidateStream.pipe(fs.createWriteStream(tarballCachePath)).on('error', reject); } - validateStream.pipe(extractorStream).on('error', reject); + integrityValidateStream.pipe(extractorStream).on('error', reject); }, }, this.packageName, @@ -311,8 +329,8 @@ export default class TarballFetcher extends BaseFetcher { return this.fetchFromLocal().catch(err => this.fetchFromExternal()); } - _findIntegrity(): ?Object { - if (this.remote.integrity) { + _findIntegrity({hashOnly}: {hashOnly: boolean}): ?Object { + if (this.remote.integrity && !hashOnly) { return ssri.parse(this.remote.integrity); } if (this.hash) { 
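Review bot: In `fetchFromExternal` the offline-mirror and cache tarballs are written by `integrityValidateStream.pipe(fs.createWriteStream(...))` while the response is still streaming, but a digest mismatch can only be known after the whole body has passed through both validators. A tarball that fails the checksum or the integrity check has therefore already reached `tarballMirrorPath` and `tarballCachePath` by the time `validateError` is set. Whether those files are removed on failure is decided in code outside this hunk, and the ordering predates this commit (it was `validateStream.pipe(...)` before). I would record the requirement next to the writes: `// bytes reach the mirror/cache files before the verdict; the finish handler must unlink both paths when validateError is set`.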
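Review bot: `_findIntegrity` and `_supportedIntegrity` (the `@@ -321` hunk) now take a required `{hashOnly}` flag, but nothing documents the two modes. With `hashOnly: true` the lockfile `integrity` is skipped and only `this.hash` is considered; when `this.hash` is unset, the added `|| hashOnly` condition returns `integrity: null`, so the first validator in the chain presumably only computes a digest and compares it with nothing. I would add above `_findIntegrity`: `// hashOnly: ignore remote.integrity and use only this.hash; yields null when no checksum hash is recorded`. The body of the `this.hash` branch lies outside the hunk.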
@@ -321,12 +339,12 @@ export default class TarballFetcher extends BaseFetcher { return null; } - _supportedIntegrity(): {integrity: ?Object, algorithms: Array} { - const expectedIntegrity = this._findIntegrity() || {}; + _supportedIntegrity({hashOnly}: {hashOnly: boolean}): {integrity: ?Object, algorithms: Array} { + const expectedIntegrity = this._findIntegrity({hashOnly}) || {}; const expectedIntegrityAlgorithms = Object.keys(expectedIntegrity); const shouldValidateIntegrity = (this.hash || this.remote.integrity) && !this.config.updateChecksums; - if (expectedIntegrityAlgorithms.length === 0 && !shouldValidateIntegrity) { + if (expectedIntegrityAlgorithms.length === 0 && (!shouldValidateIntegrity || hashOnly)) { const algorithms = this.config.updateChecksums ? ['sha512'] : ['sha1']; // for consistency, return sha1 for packages without a remote integrity (eg. github) return {integrity: null, algorithms}; diff --git a/src/package-fetcher.js b/src/package-fetcher.js index 3f4c24e42e..e03ea9544f 100644 --- a/src/package-fetcher.js +++ b/src/package-fetcher.js @@ -9,8 +9,24 @@ import * as fetchers from './fetchers/index.js'; import * as fs from './util/fs.js'; import * as promise from './util/promise.js'; -async function fetchCache(dest: string, fetcher: Fetchers, config: Config): Promise { - const {hash, package: pkg} = await config.readPackageMetadata(dest); +const ssri = require('ssri'); + +async function fetchCache( + dest: string, + fetcher: Fetchers, + config: Config, + integrity: ?string, +): Promise { + // $FlowFixMe: This error doesn't make sense + const {hash, package: pkg, remote} = await config.readPackageMetadata(dest); + + if (integrity) { + if (!remote.integrity || !ssri.parse(integrity).match(remote.integrity)) { + // eslint-disable-next-line yarn-internal/warn-language + throw new MessageError('Incorrect integrity when fetching from the cache'); + } + } + await fetcher.setupMirrorFromCache(); return { package: pkg, 
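Review bot: The cache path checks only `integrity`: `fetchCache` reads `hash` from the cached metadata but never compares it with the checksum the lockfile expects, and the call site in the `@@ -40` hunk passes only `remote.integrity`. When the lockfile entry has no `integrity` field, the whole `if (integrity)` block is skipped and the cached copy is accepted without any comparison, although the commit title promises both checksum and integrity validation. I would pass the expected hash as an additional argument and add `if (expectedHash && hash !== expectedHash) { throw new MessageError('Incorrect hash when fetching from the cache'); }` (the message is made up here, and this assumes the metadata `hash` is stored in the same hex form). The rest of the function's return statement is outside the hunk.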
@@ -40,7 +56,7 @@ export async function fetchOneRemote( const fetcher = new Fetcher(dest, remote, config); if (await config.isValidModuleDest(dest)) { - return fetchCache(dest, fetcher, config); + return fetchCache(dest, fetcher, config, remote.integrity); } // remove as the module may be invalid From 20d76c32c9622996742fef283368581cb05cca0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Sat, 28 Sep 2019 15:20:34 +0200 Subject: [PATCH 2/7] Adds a test --- __tests__/commands/install/integration.js | 5 +++++ .../invalid-checksum-good-integrity/package.json | 14 ++++++++++++++ .../invalid-checksum-good-integrity/yarn.lock | 8 ++++++++ .../ponyhooves/-/ponyhooves-1.0.1.tgz.bin | Bin 0 -> 1742 bytes 4 files changed, 27 insertions(+) create mode 100644 __tests__/fixtures/install/invalid-checksum-good-integrity/package.json create mode 100644 __tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock create mode 100644 __tests__/fixtures/request-cache/GET/registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz.bin diff --git a/__tests__/commands/install/integration.js b/__tests__/commands/install/integration.js index 146c96065a..899811f7f2 100644 --- a/__tests__/commands/install/integration.js +++ b/__tests__/commands/install/integration.js @@ -632,6 +632,11 @@ test('install should be idempotent', () => null, )); +test('install should fail to authenticate integrity with incorrect hash and correct sha512', () => + expect(runInstall({}, 'invalid-checksum-good-integrity')).rejects.toMatchObject({ + message: expect.stringContaining("computed integrity doesn't match our records"), + })); + test('install should authenticate integrity field with sha1 checksums', () => runInstall({}, 'install-update-auth-sha1', async config => { const lockFileContent = await fs.readFile(path.join(config.cwd, 'yarn.lock')); 
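Review bot: The test title says "correct sha512", but the fixture lockfile added in the same patch carries `integrity sha1-5XycPpdtVw+X8ik1bKXW7hPv01g=`, so the name does not describe what is exercised. A title such as `'install should reject a wrong resolved hash even when the integrity field matches'` would read correctly. The assertion expects the integrity-mismatch message, although the failing value is presumably the hash in the `resolved` URL, so the test cannot tell which of the two validators fired. Nothing in this patch covers the new `'Incorrect integrity when fetching from the cache'` branch in `fetchCache`.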
diff --git a/__tests__/fixtures/install/invalid-checksum-good-integrity/package.json b/__tests__/fixtures/install/invalid-checksum-good-integrity/package.json new file mode 100644 index 0000000000..8c928771a0 --- /dev/null +++ b/__tests__/fixtures/install/invalid-checksum-good-integrity/package.json @@ -0,0 +1,14 @@ +{ + "name": "badpkg", + "version": "1.0.0", + "description": "A bad package", + "main": "index.js", + "scripts": { + "test": "echo \"Error: no test specified\" && exit 1" + }, + "author": "", + "license": "UNLICENSED", + "dependencies": { + "express": "4.11.1" + } +} diff --git a/__tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock b/__tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock new file mode 100644 index 0000000000..5c2f89fa3b --- /dev/null +++ b/__tests__/fixtures/install/invalid-checksum-good-integrity/yarn.lock @@ -0,0 +1,8 @@ +# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY. +# yarn lockfile v1 + + +express@4.11.1: + version "4.11.1" + resolved "https://registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz#36d04dd27aa1667634e987529767f9c99de7903f" + integrity sha1-5XycPpdtVw+X8ik1bKXW7hPv01g= 
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/ponyhooves/-/ponyhooves-1.0.1.tgz.bin new file mode 100644 index 0000000000000000000000000000000000000000..4c3db35535bed32f15d8667000a2e9074b30606b GIT binary patch literal 1742 zcmY*XZB$cN7LBb7F!E8vT2R540M-ggUcSGGQUVf{6f}w0TELf=OA;V2A$e#r7KIrY zQi;=%B0{U6fE5I_I;ay|N)ZsnSu!vpq(fB-j0D@k4vN5_%)@pq*W6!s?Yqx8d+&Q> zN@Ws*NoPVV7={wJ`jBH09EczVf=5Cu0i*yX;)N-Mm~0U&6meKkyj+r|>qHQf3B#{Z44?~i5tIpliH2n9_W&QV zf~b@ljhT9)XIdJXuF27BBpMzIVWDa+n~MmT907;NVRL{0qzgGnIu9V}2$Rbb^7uTa zfF*{2)ucBAi$sxw5%T#oLOzWJ|DSjIuO%x(zX7rc5mz zH5$Z_49880SeA{DyNM=6P#vHta0Jh>h#=YKg$Q0l3qhETSt7`QSZRnBNH}aF$OVs^ zXxkB+2;wp|+;k2M*lINs)u`DtX>7a?`9l;1CY)ekT0k^Z+i+kZP%UAc&E@c6mJc~j ziD*R-6%oQPkBf2zYCd1hQzHTtWebVBfKPN*^ARe+w3>)CX;S4I6+Dj{ zhrFiPi}d=u{d2Ox__gevyW0I7_g|9622xg|yTW_jy`QR7 zE@hoBjr#617DN;e1i+ zkfZy+qwd#rb3s2S!>`FKUybnXErqnqrut>pQ%Bv^A;BN7I5k$AP^M2g*&N*h-phVB z?QCy(#NC5(rz{3f>3_1mw#hM1N!I6HbLIt(R^NIOcK&wttvbA>Q~SR0!S4P4{(I!P z@!DEY!U)Jak)3*KIo4mbq-E60c(p&*o?3PNTE*OtlwW$|pY~pf%&R-7irLX|ggskc zGf}p$eR_IgdbH?vR58`!?pRy~+mq(z%c)^~QvcsyFj#UHQw*!(UwC~$71@2)K^xlI zJ&+fEt`j#MQtOTO%tL{C`QA=tUvZPl(>3V7A~Yz_=^an~S5hpyG_>bXlmY4c+8@abS#q4q2?soklxD7TY-^ZfSYpQ3RKfGOiI-4I;)3lOr6W<|s_63Q*5f3(d1qW5O*)M`i zQ|k7o0e_w#8#-a%p{9b_gCshmu;J+NM+t2wg1UOMmxdOYM&Qe-Jt;e-Zpyte@!E)k z&+^hw*Vnr~CwWKJho8YpR&}KEDgG-<_cIg^K0R04_$R!z5PP!r`kvU*aIYC%Mxp7y z&WuGvtEL8|xj{PBkldP=diUn3!|$v=yXY%ZLDOoXbs*`;^Q45o+Vc&2I!8RcH&zVz zYj@Y|+Q+sAdAqh&7918#c Date: Sat, 28 Sep 2019 15:47:22 +0200 Subject: [PATCH 3/7] Revert "Fixes the problem another way" This reverts commit 29a8c583179ec77b5fdcdd3ce348bbe08ecd2abf. 
--- __tests__/commands/install/integration.js | 6 +- .../corrupted-meta-empty/.yarn-metadata.json | 0 .../corrupted-meta-not-existing/.gitkeep | 0 .../corrupted-meta-typo/.yarn-metadata.json | 0 .../node_modules/good/.yarn-metadata.json | 0 .../package.json.bin | 61 ------------------ .../GET/registry.yarnpkg.com/is-pnp.bin | 18 ------ .../is-pnp/-/is-pnp-1.0.2.tgz.bin | Bin 2045 -> 0 bytes src/config.js | 12 ++-- 9 files changed, 8 insertions(+), 89 deletions(-) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v5 => v4}/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json (100%) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v5 => v4}/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep (100%) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v5 => v4}/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json (100%) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v5 => v4}/good/node_modules/good/.yarn-metadata.json (100%) delete mode 100644 __tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin delete mode 100644 __tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin delete mode 100644 __tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp/-/is-pnp-1.0.2.tgz.bin diff --git a/__tests__/commands/install/integration.js b/__tests__/commands/install/integration.js index 899811f7f2..fc35aadf9e 100644 --- a/__tests__/commands/install/integration.js +++ b/__tests__/commands/install/integration.js @@ -245,7 +245,7 @@ test('changes the cache path when bumping the cache version', () => }); })); -test.skip('changes the cache directory when bumping the cache version', () => +test('changes the cache directory when bumping the cache version', () => runInstall({}, 'install-production', async (config, reporter): Promise => { const lockfile = await Lockfile.fromDirectory(config.cwd); 
@@ -800,7 +800,7 @@ test('install should fail with unsupported algorithms', () => message: expect.stringContaining('none of the specified algorithms are supported'), })); -test('install should update integrity in yarn.lock (--update-checksums)', () => +test.concurrent('install should update integrity in yarn.lock (--update-checksums)', () => runInstall({updateChecksums: true}, 'install-update-checksums', async config => { const lockFileLines = explodeLockfile(await fs.readFile(path.join(config.cwd, 'yarn.lock'))); expect(lockFileLines[3]).toEqual( @@ -811,7 +811,7 @@ test('install should update integrity in yarn.lock (--update-checksums)', () => }), ); -test('install should update malformed integrity string in yarn.lock (--update-checksums)', () => +test.concurrent('install should update malformed integrity string in yarn.lock (--update-checksums)', () => runInstall({updateChecksums: true}, 'install-update-checksums-malformed', async config => { const lockFileLines = explodeLockfile(await fs.readFile(path.join(config.cwd, 'yarn.lock'))); expect(lockFileLines[3]).toEqual( diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json 
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep b/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/good/node_modules/good/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/good/node_modules/good/.yarn-metadata.json similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v5/good/node_modules/good/.yarn-metadata.json rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v4/good/node_modules/good/.yarn-metadata.json diff --git a/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin b/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin deleted file mode 100644 index 749fa66b15..0000000000 
--- a/__tests__/fixtures/request-cache/GET/gitlab.com/leanlabsio/kanban/raw/7f21696fb9d08130dd62abd96c9572f513c05301/package.json.bin +++ /dev/null @@ -1,61 +0,0 @@ -HTTP/1.1 200 OK -Server: nginx -Date: Fri, 27 Sep 2019 23:51:06 GMT -Content-Type: text/plain; charset=utf-8 -Content-Length: 1181 -Cache-Control: max-age=3600, public -Content-Disposition: inline -Etag: W/"78309fbf8af4479c47eca65b0c5e3f51" -Referrer-Policy: strict-origin-when-cross-origin -X-Content-Type-Options: nosniff -X-Download-Options: noopen -X-Frame-Options: DENY -X-Permitted-Cross-Domain-Policies: none -X-Request-Id: graoMBsFby9 -X-Runtime: 0.066962 -X-Ua-Compatible: IE=edge -X-Xss-Protection: 1; mode=block -Strict-Transport-Security: max-age=31536000 -Referrer-Policy: strict-origin-when-cross-origin -GitLab-LB: fe-02-lb-gprd -GitLab-SV: web-14-sv-gprd - -{ - "name": "kanban", - "version": "0.0.1", - "repository": "gitlab.com/leanlabsio/kanban", - "scripts": { - "install": "npm install", - "build": "grunt build", - "watch": "grunt watch" - }, - "devDependencies": { - "grunt": "~0.4.1", - "grunt-cli": "~0.1.13", - "grunt-contrib-copy": "^0.5.0", - "grunt-contrib-concat": "~0.5.0", - "grunt-contrib-watch": "~0.5.3", - "grunt-contrib-uglify": "~0.7.0", - "grunt-sass": "1.0.0", - "grunt-contrib-connect": "~0.8.0", - "grunt-connect-proxy": "~0.1.11" - }, - "dependencies": { - "angular": "=1.5.6", - "angular-lodash": "https://github.com/EMSSConsulting/angular-lodash.git#68a726c", - "foundation-sites": "5.5.2", - "angular-foundation": "https://github.com/pineconellc/angular-foundation.git#8f3f260", - "angular-loading-bar": "=0.5.2", - "angular-storage": "=0.0.6", - "angular-ui-router": "=0.3.0", - "angularjs-datepicker": "=0.2.15", - "font-awesome": "=4.6.3", - "markdown-it": "=5.0.2", - "markdown-it-emoji": "=1.1.0", - "ng-sortable": "=1.3.6", - "sass-flex-mixin": "=1.0.3", - "lodash": "=4.13.1", - "twemoji": "=2.1.0", - "angular-file-upload": "=2.3.4" - } -} 
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin deleted file mode 100644 index 0a74886059..0000000000 --- a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp.bin +++ /dev/null 
@@ -1,18 +0,0 @@ -HTTP/1.1 200 OK -Date: Fri, 27 Sep 2019 22:17:23 GMT -Content-Type: application/vnd.npm.install-v1+json -Content-Length: 4072 -Connection: keep-alive -Set-Cookie: __cfduid=dadfb9c119f3195f6f00e4492573791c41569622642; expires=Sat, 26-Sep-20 22:17:22 GMT; path=/; domain=.registry.yarnpkg.com; HttpOnly -CF-Cache-Status: REVALIDATED -Cache-Control: max-age=300 -CF-Ray: 51d0d8eac82f3c81-CDG -Accept-Ranges: bytes -ETag: "49fffc656197ace1f624570132931c23" -Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" -Last-Modified: Thu, 01 Nov 2018 01:11:09 GMT -Vary: accept-encoding, accept -x-amz-meta-rev: 3-72d30e72712ca5e8a55f6613d7a30236 -Server: cloudflare - -{"versions":{"1.0.0":{"name":"is-pnp","version":"1.0.0","bin":{"is-pnp":"./bin.js"},"_hasShrinkwrap":false,"directories":{},"dist":{"shasum":"47d3d7151df242eb7ca4768fc2e7f6228871899a","integrity":"sha512-Lx0Sh5h20HtLz+xnlh4NRhQ6w231tGN4yuU3oBi6vn7oSbiIk2V4sqoIn00bczm9ojwkFPzzFUeSOIKEgYpszA==","tarball":"https://registry.npmjs.org/is-pnp/-/is-pnp-1.0.0.tgz","fileCount":5,"unpackedSize":2268,"npm-signature":"-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: 
https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJb2lGmCRA9TVsSAnZWagAARHYP/1botUA//2RoqJEP3nHB\nnQ0G1qhSYL685aLgZTWJW9pS3ucPzxxeofbnByOsbSjUqycwsHBqL/DDeYsq\nz3b0dmfcfESK+CSafYECSnj8kPJH5N5VU2UXs+A+wLEM0D0nSe4wfJLVptA0\nrOpeYrkfwX8ZC1EGLGvQM4cMqpk3Ji6RBZHtD0U/ttYR3A0vP5P76oO2/tBl\n3QSK3nJSpU83OkMBPVY3hnDrGkCjJqwvcqWoWUG0/BtHS5KYD99yrxFAzT5f\nMhtqCZiediDcGtrMhP5b0VAkqdrwFPg/tZPpgqYCevR+2ipWhkxhD0Z4yyx1\n2AuJnEoQKRiBiFPIv5aiJZD9Jj00iey4tdQ1NcXnRtAA16Lo0t4MX/OnkyJW\nBfcSd795mVpe4AO9u6bqMDZfkQrBRunxa7OKKCEXUGihm0YNtTWKat5ym1ia\n9H9Bwlgm3GoFAuHQMu07ZEwidLpWoQfjrTUOufw+/rKNSIRoMNuL3Z/8i4Hj\nazYRMgdzb9rkf6+F7LLJKnyZaDY/bS/KIb61LdkfkX8JCcKUfhVAd5KIvI4e\nAwLAUfHwWM2u2smbexFzvgvXnNFmVrcCGBbMcIrQ+JfiJ+izFVJ7YyLY+Fpt\nwxbV0Vug6gyYDyDtjFCdeL2wFmgR3+nASXWFY4CZ+ZoFX+ontSZ4U5b9PTIs\n1ojq\r\n=DAoM\r\n-----END PGP SIGNATURE-----\r\n"},"engines":{"node":">=6"}},"1.0.1":{"name":"is-pnp","version":"1.0.1","bin":{"is-pnp":"./sources/cli.js"},"_hasShrinkwrap":false,"directories":{},"dist":{"shasum":"ec0e4e443287214ce90bcb6fcd112d20de51f120","integrity":"sha512-uwFQ9SabYoNJwZnDqHUs+WTPvegmoLHjVQqkX4+MiKSjhRBRk+n/zKBAex4yvWnzbN352W7FUuYX8L5yEVmiVA==","tarball":"https://registry.npmjs.org/is-pnp/-/is-pnp-1.0.1.tgz","fileCount":5,"unpackedSize":2276,"npm-signature":"-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: 
https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJb2lJICRA9TVsSAnZWagAAX2IP/jE0+3aAdO7cu9DXNJnb\njoi3rDo8CRfARhWbJRhUj7omDxeP37U3dIIkK69AL8XZSPPUQ8o2uH1AOjZB\niI8cp0IX4bgalRXzEWPj3v8l3z6/BwJoUXy7N5ugdxron+AYj4kS4I1jI6Pa\nUo3z096sc8zAgXFE00RiKwUBGNw+4xpg0yVri/vXpezsahi8r4qZbrc9/hr3\nWzoIK6GwQnGpn5FEhdiuPbB0QiZvalYHn5v2IWtMpQG4ed6jM/vSBAqKqkFv\n95McUD13wz7iJ59BaJHwbypD/WFWz34ZBPZ8QpONk6UAJ2IZwh6J2Wj44k7a\nNtiEj3xo3A5stikfELI//H0AruTI6sSI++EJ8YvHQUj73s6kG0Z/FzPptgKp\nKYLSqXNAC/zHiId1s7uj+jsCLXIm4G2bPQUTsDMfejDS6TfjAVO2COxRF34q\ncLGzYFL1/R+/hO4ckoLl7vz6Vm/zSlMaxZPDUFDy8d0ScxHZOL+760cdIhjT\nr1XGyXAmyjGLWTHvA6sE5X0H0PgghQErsLYXi679KBdnZjN2+Xcmv0pNIqbg\nwS7SBjV+KGpc1PnwtZdfvZcegvY+252zsBvRye9/hcQ0Rdmetbod8XicA3Bw\nuTLC2N9opHeTI7a9bKrACXkSApJftjzYSfnycb27r9bgIAY6BeNhr7JFEMKV\nnxUD\r\n=8Blc\r\n-----END PGP SIGNATURE-----\r\n"},"engines":{"node":">=6"}},"1.0.2":{"name":"is-pnp","version":"1.0.2","bin":{"is-pnp":"./sources/cli.js"},"_hasShrinkwrap":false,"directories":{},"dist":{"shasum":"cbe5d6ad751897822fd92539ac5cfa37c04f3852","integrity":"sha512-BzoewUq0EZFJYKlYpObv2xRdTRJQXwMLbk2Y5l8Dhl0EQGPhdPrSdBlQaAT46gIKjAkNBNScDiUDbuBCTDNCsQ==","tarball":"https://registry.npmjs.org/is-pnp/-/is-pnp-1.0.2.tgz","fileCount":5,"unpackedSize":2282,"npm-signature":"-----BEGIN PGP SIGNATURE-----\r\nVersion: OpenPGP.js v3.0.4\r\nComment: 
https://openpgpjs.org\r\n\r\nwsFcBAEBCAAQBQJb2lKpCRA9TVsSAnZWagAAkFcP+QHfioEIu01ww57y/Jnw\neOtM4JPvx0hDMKxMBKSyvVHmjZKwqxvkAnqdyybHts7i6auvuuMKDO43oaRO\n5GY5i/u29arwBKnPgeVrC6TUnbVxiSP4KBtfzRs3YCXbQ0MfSPmXiH4nzzi/\ngWeNGutgCAbefJjB0eahVCUgO7DL+sM8kEt2iNSDM1gKUDSVq5yvsZD20tX+\n/60eLG4xtz/2zXDKjoqo+DZtvW9kdLJ6TlvbDU1mt1OBSzkTiakIe1XXymVT\n+gRC0QGKGMP+YJG+VothHez/JAagl/92c/JDsb54HkW/OkUKCHFyUAw0P3h1\n46p0vEr54rHa7wT6O0fKg7q+MN1mMOKR3wO258LQW20n+DQJK1hxcJOkk+xf\n6iOa2d6Ywox9yT9B/V555BEZ2fYbnNb4gw+oo3/YyJcZ1Ooadt5kvEyDb67+\ntOaOMBXZh7/FR8EghwBBqlOndWCD4OQYVXVCwIdf/PFyUtB1+Obd4/1H+Dkw\nmg01pi7jYHG8mKLIMNdjggWi966nJ3fZqBDLW0eRtFzCbe+8VSOPKGRSHHnI\n99SD9oY/dgmimcakZ3hInuGlMGf0UrSLjHwi24y0ae1O0AlnQz0bXU0qHAH2\nH/Npr3zjOcAULwvHqtu2l1mNv/PX8GtafyybiMaXBcERearcUN/48tbvcbFX\nZmBP\r\n=z5fE\r\n-----END PGP SIGNATURE-----\r\n"},"engines":{"node":">=6"}}},"name":"is-pnp","dist-tags":{"latest":"1.0.2"},"modified":"2018-11-01T01:11:07.975Z"} \ No newline at end of file 
diff --git a/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp/-/is-pnp-1.0.2.tgz.bin b/__tests__/fixtures/request-cache/GET/registry.yarnpkg.com/is-pnp/-/is-pnp-1.0.2.tgz.bin deleted file mode 100644 index 083e13e41539160aa705bc126d13d1808b5bd6f1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2045 zcmY*XX;f3!8YLj=iv|JF8Wp*yU|I+n$#5Z7h%(Pc6sX|!=4KE`Lb#v^HVufNK)`_p zP)tRhZBc4*2&|_ff}{Z&1qB2ZjUvTrv<_7qNiV*)mg}8gXYI4U@7sHSCqy8Kq0oG2 z0G&z&qQeRJ)ewq+K#)@E4ba)ZT10`p(6|7d4${~lodE<#3J7?9683IqyK_C@D6l5q(nvD?fYq3hc zT%Ib$dZwhnB4L(P$P)?~ECvmtAqb7b@%3ejL|i69<*=zj1YxkbOcBkO#bwdyEGEMb zK(;BQN+grF7D6%kEHWmaOsD>zct1b^p%Na&4-m@JA*qb#qeR3~OmL1*4y2SRQpG;7 zJlzinK~Y7tEG-9<8${+qummBmMIkgR69hs+ry}?SO$DKpr-48^w2cgj5gwC)1xfu> z6bI#ifG<;}9ioaDFo#CwuMQ^Q17H|YpyW76CPuJ^n{!Yk6GO$AaXO7kr85cm zH3CQs0!wKy8(}e6G$xzHLO2`_1Tz>cuCEA&H*?vLh`AJFZc|`slKFzqDp*t|hf4JZ zl!!vEM9Eo7DQ~F+Gn5HZD4#JOI8B}<6s18*WXdxI7Rt!5SW4N9KrpsSEX=9CFpABH zfHF~Xq+BQ!Nf99k2qanF0F?$r$+M@v2M4=@G#W_d{`Y&tLrTp0|4got!C0M4JhfkC zHlhT9&tnOA0^Y4;rp>1__sNEPvRf?2r*dBB0I~OSjE9$IBhW!7>EmXd_Tb0Y*soC= zozoeWp#cZ(6ZvkEp`H*o-b1PgQx9qSbA0Oc6;G)6u?uPHX{abE{)l!@GlOcp_NS z6tM(n_p*=2eS7O&bNQ{oW0Q?h%_XnC)}LTKa#Q!{9(bL!;$oir!_~)X19UFSeWsn5 zU%#PZu_3KA5%8`#wj6iZZnUtUZVWe&4tCUNxy76x6Wp0kUR}T8oz(8yWj|&y-K!(f zGq%*AT=wPseN3n6W1cswwu%Z+*p~ld0^rX;?(*+FQ@8r$PB`_l$({2M(#MT>qqTw3TFTPBFJ2S&+-e$yEH3d53%t z-XtcLg|^lQ_J{Hv=^H!z%Qpl#yNbB(ZQ`mQNV>VMcun451+-a#)6I8UXIWNCN(%1@ zoFDrvp=pn@&KMl{tSac?oRWoFdP749qsAFmw1CL;e6`20*ETfdfGq-KEvgK2r_3_$ zCMg$&yMYTkrPU!0i?YJBXM!qv*4gev6Y-_1Ui3p_j6P6U*Vs-!Tq*8An3O_O!RDcdML|ht+mZry11N?k9dbBtvr-v(Xl1hgwCnO`N9x zBDp|?({Ckw-IAO#WBj)abA+dPhFN3a-?+rR@t8n)|I38)m5kc)A}X4}K6<@({dZ@* zZd8Yem#uh6P)Ky=`0Vq8_u2`(KVRC`-lXaadY^1`cw%GFUK-MIX5I~MKKyv&wBq}v ziz!UUdE;$4g?3f5E%#yqhPB3(F(0;1z5x{}4uK2abhH-iA9tXizFHJzUl{Oem)`H% z5qY^qt4SO?s$Eq*VEJXbrY6vTk?KP4D;_cE>O{Lu5g0_=IT3#H_U@wvt}Sz`D@xje zC+M{;?dziywc~oN{QFX!hxAb3(Jf}eg__1Wi{c<6d2|~?SMkWW{_(z% 
zOgQn1u1P$~OzhD+LrItQF|{(5&oKenH$pwW+<&+#BP`=(dViL7zvr8?BfmSde(NY} z8{U(>#`P-s+EdFp8Q;`;ys@cs@9c>)0$G$QGtD?AaQ#^4ulaSP`j&fi&s&X^9&Oz_ zBd^%GD?P&)YOp77YrT`5c!JS6>%xH1tq?J0C9RToZSQ=!TB-VImb;Ewc36q=yO0gq z#?aE_vOAK$Uh76qMzHQ$-}&abl$QU;+62C^UOewSbk~|UefVe9N8;p}1#S%&2To-_ zy1TL|@%^Ng`@sBj!k*igv(xUU;b3a&B_`$yB_q&?37c2-R Q<=6)tvHz^mX0eUUKUe8?`v3p{ diff --git a/src/config.js b/src/config.js index b0ca8fdbe8..0caee02469 100644 --- a/src/config.js +++ b/src/config.js @@ -509,18 +509,16 @@ export default class Config { slug = `unknown-${slug}`; } - const {hash, resolved} = pkg.remote; + const {hash, integrity} = pkg.remote; if (pkg.version) { slug += `-${pkg.version}`; } - if (resolved) { - if (hash) { - slug += `-${crypto.createHmac('sha1', resolved).update(hash).digest('hex')}`; - } else { - slug += `-${crypto.createHash('sha1').update(resolved).digest('hex')}`; - } + if (pkg.uid && pkg.version !== pkg.uid) { + slug += `-${pkg.uid}`; + } else if (integrity != null) { + slug += `-${crypto.createHash('sha1').update(integrity.toString()).digest('hex')}`; } else if (hash) { slug += `-${hash}`; } From 86f1e58f1fe45cde859bfc31511527a0e7463961 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Sat, 28 Sep 2019 15:47:30 +0200 Subject: [PATCH 4/7] Revert "Fixes tests" This reverts commit 9322e76fba6a83696ec7104c1af3111ab58a0fff. --- src/config.js | 6 ++++-- src/constants.js | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/config.js b/src/config.js index 0caee02469..10b6c9d8a0 100644 --- a/src/config.js +++ b/src/config.js @@ -517,12 +517,14 @@ export default class Config { if (pkg.uid && pkg.version !== pkg.uid) { slug += `-${pkg.uid}`; - } else if (integrity != null) { - slug += `-${crypto.createHash('sha1').update(integrity.toString()).digest('hex')}`; } else if (hash) { slug += `-${hash}`; } + if (integrity != null) { + slug += `-${crypto.createHash('sha1').update(integrity).digest('hex')}`; + } + return slug; } 
diff --git a/src/constants.js b/src/constants.js index 5ff07af051..cb4f587288 100644 --- a/src/constants.js +++ b/src/constants.js @@ -28,7 +28,7 @@ export const YARN_INSTALLER_MSI = 'https://yarnpkg.com/latest.msi'; export const SELF_UPDATE_VERSION_URL = 'https://yarnpkg.com/latest-version'; // cache version, bump whenever we make backwards incompatible changes -export const CACHE_VERSION = 5; +export const CACHE_VERSION = 4; // lockfile version, bump whenever we make backwards incompatible changes export const LOCKFILE_VERSION = 1; From 4aad7db56fcd57377d12d904ede6820fd4f88552 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Sat, 28 Sep 2019 15:47:49 +0200 Subject: [PATCH 5/7] Revert "Fixes flow linting" This reverts commit 431a9e96405f43a60b3ffa3034921ec8d321a403. --- src/config.js | 7 +------ src/lockfile/index.js | 2 +- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/config.js b/src/config.js index 10b6c9d8a0..2fdf5ff162 100644 --- a/src/config.js +++ b/src/config.js @@ -17,7 +17,6 @@ import {registries, registryNames} from './registries/index.js'; import {NoopReporter} from './reporters/index.js'; import map from './util/map.js'; -const crypto = require('crypto'); const detectIndent = require('detect-indent'); const invariant = require('invariant'); const path = require('path'); @@ -509,7 +508,7 @@ export default class Config { slug = `unknown-${slug}`; } - const {hash, integrity} = pkg.remote; + const {hash} = pkg.remote; if (pkg.version) { slug += `-${pkg.version}`; @@ -521,10 +520,6 @@ export default class Config { slug += `-${hash}`; } - if (integrity != null) { - slug += `-${crypto.createHash('sha1').update(integrity).digest('hex')}`; - } - return slug; } diff --git a/src/lockfile/index.js b/src/lockfile/index.js index 5926106dfb..ab6e9f970c 100644 --- a/src/lockfile/index.js +++ b/src/lockfile/index.js 
@@ -179,7 +179,7 @@ export default class Lockfile { reporter.info(reporter.lang('noLockfileFound')); } - if (lockfile && lockfile.__metadata) { + if (lockfile.__metadata) { const lockfilev2 = lockfile; lockfile = {}; } From fff4c4d1c46327c803c30e9731e2e6f21efa2595 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Sat, 28 Sep 2019 15:48:34 +0200 Subject: [PATCH 6/7] Fixes flow --- src/lockfile/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lockfile/index.js b/src/lockfile/index.js index ab6e9f970c..5926106dfb 100644 --- a/src/lockfile/index.js +++ b/src/lockfile/index.js @@ -179,7 +179,7 @@ export default class Lockfile { reporter.info(reporter.lang('noLockfileFound')); } - if (lockfile.__metadata) { + if (lockfile && lockfile.__metadata) { const lockfilev2 = lockfile; lockfile = {}; } From 72b69463c99bfaee4581883ac631ab3da8fe15a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ma=C3=ABl=20Nison?= Date: Sat, 28 Sep 2019 15:53:21 +0200 Subject: [PATCH 7/7] Back to v5 we are --- .../node_modules/corrupted-meta-empty/.yarn-metadata.json | 0 .../node_modules/corrupted-meta-not-existing/.gitkeep | 0 .../node_modules/corrupted-meta-typo/.yarn-metadata.json | 0 .../{v4 => v5}/good/node_modules/good/.yarn-metadata.json | 0 src/constants.js | 2 +- 5 files changed, 1 insertion(+), 1 deletion(-) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v4 => v5}/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json (100%) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v4 => v5}/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep (100%) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v4 => v5}/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json (100%) rename __tests__/fixtures/cache/corrupted/.yarn-cache/{v4 => v5}/good/node_modules/good/.yarn-metadata.json (100%) 
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-empty/node_modules/corrupted-meta-empty/.yarn-metadata.json diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep b/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-not-existing/node_modules/corrupted-meta-not-existing/.gitkeep diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v5/corrupted-meta-typo/node_modules/corrupted-meta-typo/.yarn-metadata.json 
diff --git a/__tests__/fixtures/cache/corrupted/.yarn-cache/v4/good/node_modules/good/.yarn-metadata.json b/__tests__/fixtures/cache/corrupted/.yarn-cache/v5/good/node_modules/good/.yarn-metadata.json similarity index 100% rename from __tests__/fixtures/cache/corrupted/.yarn-cache/v4/good/node_modules/good/.yarn-metadata.json rename to __tests__/fixtures/cache/corrupted/.yarn-cache/v5/good/node_modules/good/.yarn-metadata.json diff --git a/src/constants.js b/src/constants.js index cb4f587288..5ff07af051 100644 --- a/src/constants.js +++ b/src/constants.js @@ -28,7 +28,7 @@ export const YARN_INSTALLER_MSI = 'https://yarnpkg.com/latest.msi'; export const SELF_UPDATE_VERSION_URL = 'https://yarnpkg.com/latest-version'; // cache version, bump whenever we make backwards incompatible changes -export const CACHE_VERSION = 4; +export const CACHE_VERSION = 5; // lockfile version, bump whenever we make backwards incompatible changes export const LOCKFILE_VERSION = 1;